Europe's New Data 'Privacy Shield' Looks Leaky

The European Union and the United States reached a new deal Tuesday on privacy protections for Europeans’ data that gets sent to U.S. servers. The agreement, to be called Privacy Shield, replaces an agreement repudiated by the European Court of Justice in October. That’s good news for major corporations like Facebook and Google that want continued access to their European users’ data.

But the new agreement requires scrutiny itself, which European regulators and probably the ECJ are going to give it. Notwithstanding the powerful business interests at stake, there’s reason to think that the agreement may have loopholes that make it difficult for those bodies to uphold.

The arrangement from 2000, called Safe Harbor, was struck down by the ECJ essentially on the ground that American companies were giving the National Security Agency access to Europeans’ data. The question before the European court was whether data transferred to the U.S. receives an “adequate level of protection” under the EU’s Data Protection Directive.

The answer was no -- and for complicated reasons. The court acknowledged that under U.S. law, statutory and constitutional requirements trumped the Safe Harbor agreement. It went on to say that, based on the revelations of former NSA contractor Edward Snowden, the level of privacy protection provided in practice by the U.S. wasn’t high enough to satisfy European standards. The agreement was therefore rejected.

It’s crucial to realize that the ECJ judgment included the recognition that, under EU law, it’s all right for a government to peek at consumers’ private data under some circumstances. What the court was saying, was that U.S. law wasn’t protective enough to satisfy European standards. It looked to a judgment by the High Court of Ireland, holding said that “the revelations made by Edward Snowden had demonstrated a ‘significant over-reach’ on the part of the NSA and other federal agencies.”

In particular, the Irish court was concerned that European citizens “have no effective right to be heard” by U.S. courts if the privacy of their data is breached by security agencies because the breach takes place in secret.

The ECJ had to admit that EU law doesn’t contain “a definition of the concept of an adequate level of protection.” But it concluded that adequacy must mean “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.”

In other words, if U.S. privacy protection was weaker than EU protection, the agreement must be invalidated. The new agreement must be assessed against this background to see if it will pass legal muster.

The highlight of the deal, emphasized by the European Commission in its announcement, is what’s supposed to be “written assurance” from the U.S. that Europeans’ data will be protected. Under the agreement, the U.S. director of national intelligence will certify that Europeans’ data won’t be subject to “mass surveillance.” That sounds better than the old agreement, which didn’t include an explicit promise from the intelligence community.

But the DNI will almost surely be able to make this promise in very general terms. And, in practice, even targeted American surveillance might still be much broader and less privacy-protecting than anything European countries typically allow. The U.S. says it will review data proportionately, which means something specific in Europe but could well mean something different in the U.S.

What’s more, under U.S. law, there’s ordinarily little or no protection for data belonging to foreigners so long as it’s outside the U.S. That law hasn’t changed. It seems at least possible that the NSA might simply try to target Europeans’ data before it gets transferred to the U.S. If it’s doing so covertly, no one will know about it to complain.

Another provision of the new agreement creates an ombudsman for Europeans to raise data privacy concerns. This is presumably intended as a means of recourse and to satisfy the Irish court’s worry about secrecy. But he or she probably won’t have access to the U.S.’s secret interpretations of law or secret surveillance.

A further provision says that U.S. companies must agree to robust privacy protections before transferring data. That should probably keep them from voluntarily transferring data to the NSA in violation of privacy regulations. But if U.S. law requires the transfer, they’ll still have to comply.

All this means is that there’s plenty of room for the ECJ to find that Privacy Shield is inadequate like its predecessor. But will it?

That depends in part on how strongly the EU rates its negotiating position. No one in the European political elite really wants to give up on Facebook or Amazon. And no EU bureaucrat really thinks the U.S. will change its national security laws to please the EU.

The new agreement is a pragmatic compromise meant to preserve legal formality and the fig leaf of data privacy without upsetting national security either for the U.S. or for European intelligence services that might like a chance to see their own citizens’ data.

The ECJ may not want to upset this delicate balance. In that case, it can assess the new agreement generously. That would solve the practical problem. Bu the disparity between European and American conceptions of privacy will remain.